Does HIPAA require that health care providers obtain patient authorization to disclose PHI for treatment purposes?

This resource is part of the AMA's Debunking Regulatory Myths series, supporting AMA's practice transformation efforts to provide physicians and their care teams with resources to reduce guesswork and administrative burdens.

Apart from psychotherapy notes—in which specific requirements apply—health care providers are not required to procure authorization or consent from patients to disclose protected health information (PHI) to another clinician or clinical entity for treatment purposes under HIPAA, as the HIPAA Privacy Rule permits such disclosures to facilitate patient care.^1,2,3

• Patient Privacy and Confidentiality H-315.983

To reduce administrative burden and streamline care coordination, physicians may share PHI with other clinicians for treatment purposes without the unnecessary step of obtaining patient authorization (except for psychotherapy notes). 

• Code of Federal Regulation Section 164.506- Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations. Accessed October 2022.
• HHS Description of 45 CFR 164.506. Accessed October 2022.

1. Department of Health and Human Services. Section 164.506 - Uses and Disclosures to Carry out Treatment, Payment, or Health Care Operations.; 2003. Accessed October 12, 2022. https://www.govinfo.gov/content/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec164-506.xml
2. Office for Civil Rights. Does a physician need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient? HHS.gov. Published December 19, 2002. Accessed October 12, 2022. https://www.hhs.gov/hipaa/for-professionals/faq/271/does-a-physician-need-written-authorization-to-send-medical-records-to-a-specialist/index.html
3. Office for Civil Rights HIPPA Privacy. Uses and Disclosures for Treatment, Payment, and Health Care Operations. HHS.gov. Published December 3, 2003. Accessed October 12, 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html

Visit the overview page for information on additional myths.

Disclaimer: The AMA's Debunking Regulatory Myths (DRM) series is intended to convey general information only, based on guidance issued by applicable regulatory agencies, and not to provide legal advice or opinions. The contents within DRM should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. An attorney should be contacted for advice on specific legal issues. Additionally, all applicable laws and accreditation standards should be considered when applying information to your own practice.